No compliance team needed
GENIUS Act · 66 days

Your compliance program, without the chaos.

Risk Ledger is a GRC dashboard that keeps track of your security risks, your policies, and the proof your auditor asks for — all in one place. Your first entry takes two minutes. No compliance background needed.

  • First entry in about 2 minutes
  • Evidence fingerprinting built in
  • ISO 27001 + SOC 2 workflows included
Works with: ISO 27001, SOC 2 Type II. More frameworks coming.
risk ledger · dashboard

  • Open risks: 14
  • Controls active: 38
  • Audit readiness: 71%

Things that need attention

  • Cloud storage publicly readable (Critical)
  • Vendor doesn't require MFA (High)
  • Backups untested for 90 days (Moderate)

ISO 27001 coverage

  • Organizational: 84%
  • Technology: 62%
✓ Audit report auto-generated — ready to share

Compliance deadlines

  • 66 days: GENIUS Act · Jul 18, 2026
  • 81 days: EU AI Act · Aug 2, 2026

Start your program →

What Risk Ledger actually does

One place for everything your auditor will ask for.

Think of it like a shared notebook your whole team can use — where every security risk, every policy, and every piece of proof lives together, connected, and ready to show an auditor on any given day.

A running list of your security risks

Add anything you're worried about, in plain language. Risk Ledger scores each one automatically by how serious it is and keeps a prioritized list so nothing falls through the cracks.

Think: a shared worry list with owners and due dates.

Your policies, tracked and approved

Store your security policies with a proper approval flow. When an auditor asks "can you prove this policy was reviewed?" — you can. One click. Versioned history included.

Think: a document library that remembers who approved what, and when.

Evidence that can't be questioned

Upload screenshots, exports, or signed documents. Risk Ledger creates a mathematical fingerprint of each file — your auditor can verify it was never changed after you uploaded it.

Think: receipts that prove a document is exactly as you left it.

The audit report — written for you

The document every ISO 27001 auditor asks for on day one — the Statement of Applicability — is generated automatically from your live data. Every time you add a control, it updates. No spreadsheet. No manual assembly.

Think: the final exam writes itself from your notes.

A dashboard your board can actually read

Color-coded risk summary. Coverage progress. Overdue items surfaced first. Leadership sees the picture without digging into details. Auditors get a read-only view scoped to what they need.

Think: a traffic-light report, always current, no manual updates.

For enterprise teams: connected to ChainDeploy

If your organization runs on ChainDeploy's blockchain infrastructure, your evidence is generated automatically by the network — not uploaded manually. The ledger is the audit trail.

Think: evidence that exists before anyone has to create it.

Sound familiar? "We'd love to move forward — but we need your ISO 27001 certificate first."

A prospect's security team asked for proof you take security seriously. You didn't have it. The deal stalled. Risk Ledger is how you unblock it — and make sure it never happens again. You can start building your compliance program today, without a compliance team, without a consultant, and without pulling engineering off the roadmap.

How it's different

Vanta checks whether your controls are configured.
We make the evidence impossible to fake.

Both tools help you prepare for audits. Here's the difference that matters when an auditor starts asking hard questions about the integrity of your records.

The question every auditor eventually asks: "Can you prove that evidence wasn't changed after you created it?"

Tools like Vanta

Vanta monitors whether your systems are set up correctly — is two-factor authentication on, is that storage bucket private, is that policy in place. Great for checking controls exist. But the evidence it collects sits in a database an administrator can edit. When your auditor asks for proof the records weren't touched, Vanta can't definitively answer that.

Risk Ledger

Every file you upload gets a unique fingerprint before it's saved. Your auditor can verify that fingerprint independently — if anyone changed the file afterward, the fingerprint wouldn't match. For organizations on ChainDeploy the evidence is generated by the blockchain network itself: impossible to alter.

Feature | Vanta | Optro (AuditBoard) | Risk Ledger
Risk tracking with named owners
All 93 ISO 27001 controls pre-loaded
SOC 2 Type II framework included
Statement of Applicability auto-generated
Tamper-proof evidence fingerprinting
Blockchain-generated immutable evidence: ✓ via ChainDeploy
Start without a sales call: ✓ 2 minutes

How it works

Everything connects.
Nothing falls through the cracks.

Step 1

Name a risk

Anything you're worried about. Plain language. Risk Ledger figures out how serious it is.

Step 2

Add what you're doing about it

Your plan for the risk. We map it to ISO 27001 or SOC 2 automatically — you don't need to know the framework.

Step 3

Upload proof it's working

A screenshot or document. We fingerprint it so auditors can verify it later.

Step 4

Your reports write themselves

The audit checklist and action plan your auditor needs are generated live from your data.

Step 5

Share with leadership or auditors

Your board sees the dashboard. Your auditor gets a scoped, read-only evidence view.

Who it's for

Three situations.
One platform.

"We just lost a deal because we don't have ISO 27001. How fast can we fix this?"

CEO or co-founder, 25-60 person B2B SaaS company

Risk Ledger lets you start building your compliance program today — no procurement, no consultant kickoff, no engineering detour. You can show a prospect real, documented progress within a week. The external certification audit comes later, but you'll be ready for it.

Unblock your pipeline →

"ISO 27001 just landed on my plate. My team has zero bandwidth for a 6-month compliance project."

CTO or VP Engineering, 50-120 person company

Risk Ledger is structured enough to delegate without hand-holding. Each step is clear and bounded. Your engineers spend 2-4 hours a week, not a parallel quarter-long project. The audit report generates itself at the end.

See the full workflow →

"A major client just told us we need ISO 27001 to stay on their vendor list."

CEO or COO, professional services firm — MSP, law firm, or accountancy

You don't need an in-house security team. Risk Ledger walks you through every step in plain English, without requiring you to know the framework. We've helped businesses without a single technical staff member get audit-ready.

Book a walkthrough →

Getting started

Up and running in under 15 minutes.

No setup call. No purchase order. No prerequisites. Here's exactly what to do first.

Step 1

Write down your first security risk

Something like: "Our cloud storage might be publicly readable" or "We've never tested what happens if our database goes down." One sentence is enough. Risk Ledger calculates how serious it is automatically.

No compliance vocabulary required — plain English works perfectly.

→ Open the risk form
2 min
Step 2

Add what you're doing about it

A "control" is just the thing you're doing (or planning to do) to manage the risk. Risk Ledger maps it to the right section of ISO 27001 or SOC 2 automatically. You don't need to know the framework numbers.

→ Add a control
5 min
Step 3

Upload proof it's working

A screenshot of a setting, an export from your cloud provider, a signed policy document — whatever shows the risk is being managed. Risk Ledger creates a tamper-proof fingerprint so your auditor can verify it hasn't been changed since you uploaded it.

→ Upload evidence
3 min
Step 4

Check your dashboard

After the first three steps, your compliance dashboard already shows real data — how serious your risks are, how much of ISO 27001 you've covered, what still needs attention. This is the view your leadership team and auditors use.

→ Open the dashboard
1 min
Step 5

Bring in a teammate or assign an owner

Risks that have a named owner actually get fixed. Add your CTO, your IT provider, or your external consultant. They don't need a full account to be assigned tasks.

→ Add a teammate
2 min

Your data and privacy

Your data stays yours.

Only your team sees your data

Everything you enter is scoped to your organization. No other company ever sees your risks, policies, or evidence.

Nothing goes out without your approval

Policies need to be approved before they are finalized. What you share with auditors is explicitly scoped — drafts and internal notes stay private.

Everyone gets the right level of access

Your team adds and reviews. Managers approve. Owners run the program. Auditors get read-only access to what they need — nothing more.

Evidence that proves it wasn't touched

Every file you upload gets a unique fingerprint. Your auditor can verify that fingerprint independently — proof that nothing was altered after you submitted it.

Auditors see evidence. Not your internals.

Auditor access is read-only and scoped. They get the compliance trail — not your working notes, not your draft policies, not your internal discussions.

For enterprise teams: the blockchain never lies

Organizations on ChainDeploy get evidence generated directly by their network — not manually uploaded. It's impossible to alter. The ledger is the proof.

Your compliance program starts right now.

You do not need a compliance background. You do not need a consultant on retainer. You do not need to pull engineering off your roadmap. Add your first risk in two minutes — and your audit report starts building itself from that moment forward.